
Method of P2P Botnet Detection Based on Netflow Sessions


Abstract

The present invention detects peer-to-peer (P2P) botnets by examining bidirectional flow sessions. Unidirectional flow records are combined to obtain the bidirectional sessions. The method is based on NetFlow; its purpose is to bring out the bidirectional sessions hidden in a unidirectional NetFlow log in order to determine malware activity. The invention is further developed for big-data volumes and is implemented on a MapReduce platform. P2P botnet activity is analysed with a novel multi-layer unsupervised grouping algorithm that searches for similar bidirectional sessions. The grouping algorithm is coordinated with a density-based clustering process so that the NetFlow log is analysed repeatedly: each layer of the algorithm extracts one group, and in the end the sets of sessions with similar malicious behaviour are clustered out. Finally, a real NetFlow log is used to show that the method attains a reliability of up to 95%. The invention can therefore effectively strengthen national information security.
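To make the two steps of the abstract concrete, the pairing of one-way flow records into sessions and the layer-by-layer grouping, here is an added Python illustration. It is not the patent's code and does not claim to reproduce its algorithm: it assumes DBSCAN as the density-based step (the abstract names no specific clusterer), uses per-direction byte volume on a log scale as the session features, and runs on a handful of constructed flow records; the `eps` and `min_pts` values are chosen for that toy data, and a real deployment would have to tune them and the features against its own traffic.

```python
"""Added illustration (not the patented algorithm): pair unidirectional NetFlow
records into bidirectional sessions, then extract groups of similar sessions one
layer at a time with DBSCAN. Features, eps/min_pts and all records are made up."""
from collections import defaultdict
from math import hypot, log10

FLOWS = [  # constructed NetFlow-style records: (src, sport, dst, dport, proto, bytes)
    # four hosts holding similar small UDP sessions with outside peers on 6881
    ("10.0.0.11", 41000, "203.0.113.5", 6881, 17, 150),  # one direction split
    ("10.0.0.11", 41000, "203.0.113.5", 6881, 17, 150),  # over two records
    ("203.0.113.5", 6881, "10.0.0.11", 41000, 17, 320),
    ("10.0.0.12", 41001, "203.0.113.6", 6881, 17, 310),
    ("203.0.113.6", 6881, "10.0.0.12", 41001, 17, 330),
    ("10.0.0.13", 41002, "203.0.113.7", 6881, 17, 305),
    ("203.0.113.7", 6881, "10.0.0.13", 41002, 17, 315),
    ("10.0.0.14", 41003, "203.0.113.8", 6881, 17, 320),
    ("203.0.113.8", 6881, "10.0.0.14", 41003, 17, 340),
    # three near-identical DNS sessions to the local resolver
    ("10.0.0.20", 53001, "10.0.0.2", 53, 17, 60),
    ("10.0.0.2", 53, "10.0.0.20", 53001, 17, 120),
    ("10.0.0.21", 53002, "10.0.0.2", 53, 17, 60),
    ("10.0.0.2", 53, "10.0.0.21", 53002, 17, 120),
    ("10.0.0.22", 53003, "10.0.0.2", 53, 17, 60),
    ("10.0.0.2", 53, "10.0.0.22", 53003, 17, 120),
    # two HTTPS downloads of very different size
    ("10.0.0.30", 50000, "198.51.100.10", 443, 6, 500),
    ("198.51.100.10", 443, "10.0.0.30", 50000, 6, 48000),
    ("10.0.0.31", 50001, "198.51.100.11", 443, 6, 800),
    ("198.51.100.11", 443, "10.0.0.31", 50001, 6, 210000),
    # unanswered SSH probe: unidirectional, never becomes a session
    ("192.0.2.99", 4444, "10.0.0.11", 22, 6, 40),
]

def canonical(src, sport, dst, dport, proto):
    """Same key for both directions of a 5-tuple: lower endpoint first."""
    a, b = (src, sport), (dst, dport)
    return (a, b, proto) if a <= b else (b, a, proto)

def build_sessions(flows):
    """Aggregate records per session; bidirectional iff 'fwd' and 'rev' are both non-empty."""
    sessions = defaultdict(lambda: {"fwd": [], "rev": []})
    for src, sport, dst, dport, proto, nbytes in flows:
        key = canonical(src, sport, dst, dport, proto)
        side = "fwd" if key[0] == (src, sport) else "rev"
        sessions[key][side].append(nbytes)
    return sessions

def features(sess):  # per-direction byte volume on a log scale (example's own choice)
    return (log10(sum(sess["fwd"]) + 1), log10(sum(sess["rev"]) + 1))

def _neighbors(points, i, eps):
    return [j for j, p in enumerate(points) if hypot(p[0] - points[i][0], p[1] - points[i][1]) <= eps]

def dbscan(points, eps, min_pts):
    """Plain DBSCAN; returns one label per point, -1 for noise."""
    labels = [None] * len(points)
    cluster = 0
    for i in range(len(points)):
        if labels[i] is not None:
            continue
        seeds = _neighbors(points, i, eps)
        if len(seeds) < min_pts:
            labels[i] = -1  # noise, unless later reached as a border point
            continue
        labels[i] = cluster
        while seeds:
            j = seeds.pop()
            if labels[j] is None:
                labels[j] = cluster
                more = _neighbors(points, j, eps)
                if len(more) >= min_pts:  # core point: keep expanding
                    seeds.extend(more)
            elif labels[j] == -1:
                labels[j] = cluster  # border point: joins, not expanded
        cluster += 1
    return labels

def layered_groups(sessions, eps=0.3, min_pts=3):
    """Multi-layer grouping: each pass clusters the still-unassigned sessions, keeps
    the largest cluster as that layer's group and removes it; stops on all-noise."""
    remaining = [k for k, s in sessions.items() if s["fwd"] and s["rev"]]
    feats = {k: features(sessions[k]) for k in remaining}
    groups = []
    while remaining:
        labels = dbscan([feats[k] for k in remaining], eps, min_pts)
        clusters = defaultdict(list)
        for key, label in zip(remaining, labels):
            if label >= 0:
                clusters[label].append(key)
        if not clusters:
            break
        group = max(clusters.values(), key=len)
        groups.append(group)
        taken = set(group)
        remaining = [k for k in remaining if k not in taken]
    return groups, remaining

if __name__ == "__main__":
    groups, ungrouped = layered_groups(build_sessions(FLOWS))
    print([len(g) for g in groups], "grouped;", len(ungrouped), "left ungrouped")
```

On the constructed records the first layer extracts the four peer sessions, the second layer the three DNS sessions, and the third pass finds only noise, leaving the two HTTPS sessions ungrouped; the unanswered SSH probe has no reverse record and never becomes a session, which is the filtering effect the abstract attributes to working on bidirectional sessions rather than raw unidirectional flows. The DNS group is the caveat a practitioner should keep in mind: density grouping finds sessions that look alike, and deciding which groups represent malicious behaviour is a separate judgement that this toy does not make.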

